Corellium, the Florida-based virtualization company sued by Apple for creating replicas of the iOS operating system, has responded to the tech giant’s lawsuit.
Corellium provides a virtual version of the iPhone, including the graphical user interface and the underlying code for the iOS operating system and the iTunes software. This can be very useful for finding vulnerabilities and other types of bugs, as well as for testing the functionality of mobile applications on different versions of the iPhone and iOS.
However, the company was sued by Apple, which claims its practices represent copyright infringement. Apple is particularly displeased with Corellium allegedly offering a “private” installation of its product for $1 million per year, and encouraging its users to sell the vulnerabilities they find to the highest bidder rather than disclosing them to Apple.
Corellium this week responded to Apple’s lawsuit, accusing the tech giant of owing it $300,000 for iOS and macOS vulnerabilities reported through its bug bounty program. The company said Apple did not have a problem with its products when they were being used to find security holes submitted to its bug bounty program.
In a heavily redacted 29-page court document, Corellium claims Apple is actually trying to gain full control over how security research is conducted and who is able to conduct such research, including through its lawsuit and the recent announcement that security researchers will be given iPhones specifically configured for security testing.
Corellium says its virtualization technology makes security research much more efficient — if a virtual device is bricked during testing it can be easily restored and these devices can be paused at any time for detailed analysis — and it claims to have made fair use of Apple’s technology. On the other hand, Corellium believes Apple’s behavior “amounts to unfair business practices that must be put to an end by the Court.”
“Apple was not only aware of Corellium’s technology for several years, but actually encouraged its development,” Corellium said. “Rather than tell the real story, Apple paints Corellium as a bad actor, unscrupulously peddling its product to anyone for any reason. But Corellium does not license its platform to anyone. Its end users include well-known and well-respected financial institutions, government agencies, and security researchers.”
It added, “Corellium does not use iOS in its entirety or merely replicate iOS for the same purposes as Apple. Instead, Corellium uses its own proprietary software to facilitate executing iOS on different hardware. When iOS is loaded onto the Corellium platform, it is not only transformed to enable it to run on different hardware, but it is also integrated with third-party tools to improve the utility of the platform for developers. Apple cannot dispute that Corellium implements its own original code and virtual machine in conjunction with third party tools.”